Can CISPA Be Fixed?

from the perhaps-not dept

We've been arguing for quite some time now that we'd like to see the actual evidence for why a "cybersecurity" bill is needed. We've heard fearmongering and warnings of planes falling from the skies, but no evidence that there's a real problem here -- or, if there is a problem, that it needs a legislative solution. And yet, still, CISPA moves forward. Of course, while we still believe that some amendments could fix some of the more egregious problems with CISPA, there is still the big question of whether or not it's needed at all. Larry Downes has taken on the question of whether or not CISPA can be fixed and has decided that it cannot be, and that it represents a real threat to some key elements of the internet ecosystem. He lists out some key rules for policy makers (and goes into great detail on each, so click through):

Don’t legislate technology using definitions that are either too specific or too general

Don’t legislate technology until you can articulate concrete and calculable harms

Don’t encourage or require information sharing with the government unless it’s unavoidable

All of this seems quite reasonable... which is why it's an uphill battle to get people to follow through on it.

Reader Comments

CISPA is broken because of one fact...

It is not designed to actually protect people. People are the most prolific users of the internet, not the collectives like Government or Business. CISPA should fail because only protection that services the needs of the people first should ever be implemented.

complete waste of time considering no one is interested in even amending CISPA, let alone abandoning it.

the biggest change needed is one that prevents anyone from introducing a Bill until they have a reasonable amount of knowledge on the subject concerned in that Bill, and not just able to recite info parrot fashion!

is anyone else watching twitter?

I am noticing more and more "Sky is falling" scenarios from reps who are supporting the bill or are voting for the bill...like "OMG FOX BUSINESS WEBSITE MIGHT GET HAXORED!" from Mrs Bachman...just...wow...really?

Re: Re: Re:

Take note that the second comment was made "exactly" 5 minutes after the first. Note also that the theme of the comments is the same (I hate Mike for no good reason!), and that they have no substance whatsoever.

I'm guessing this would be one of those situations where you really could hit two birds with one stone.

Re: Re: Broke needs fixed.

What a senseless waste to just throw them out like that. Utah and Idaho have Kidneys Kars, I don't see why the US couldn't do a Kidney Kongress thing. I'm sure at least half of our congress critters have harvestable organs.

Re:

I'm not arguing for more spying, but are people really looking at this from the point of view of a group of people (federal government leadership of the US) who feel personally vulnerable to death plots on a daily basis and who since 911 no longer feel this threat is theoretical?

Besides that, isn't it likely our military leaders who protect them and also see their own lives vulnerable are also pressing on legislators (and we know it's not easy for them to say no to these guys)?

To a lesser extent, a lot of major business leaders and wealthy individuals likely are pressing as well since they probably see major financial losses at risk (if not their own necks).

This personal threat aside, how can anyone argue point blank that preserving the state of order at the federal level is not in the best interests of individual Internet users? Do people really think the Internet will keep humming along without fights and blackouts if the federal government takes a brutal hit?

Again, this is not to argue for any specific proposal in this or any bill, but the comments sometimes suggest people aren't recognizing what can reasonably be an elevated state of fear in the collective mind of DC. Not only are some of their concerns legitimate, but if you don't understand where they are coming from, you will have a harder time being heard clearly. [I'm fairly sure these major groups opposing the bill have thought about this, and that should be one reason why they might be willing to accept an imperfect bill.]

Re: Re:

Again, this is not to argue for any specific proposal in this or any bill, but the comments sometimes suggest people aren't recognizing what can reasonably be an elevated state of fear in the collective mind of DC. Not only are some of their concerns legitimate, but if you don't understand where they are coming from, you will have a harder time being heard clearly.

I think most people understand all that pretty well. But that they have an irrationally elevated level of fear doesn't mean that we need to tolerate their irrational legislative responses.

With a very sharp knife

Re: Re:

[...] but are people really looking at this from the point of view of a group of people (federal government leadership of the US) who feel personally vulnerable to death plots on a daily basis and who since 911 no longer feel this threat is theoretical?

Anyone who feels that way is (a) an idiot and (b) a coward. They should be removed from public service immediately and permanently: they're simply not good enough to serve the citizens of the United States.

Re:

Re: Re:

If we're at so much risk why isn't the first step to improve our defenses? CISPA does absolutely nothing to incentivize basic IT security like patching vulnerabilities as quickly as possible and instead encourages pro-active monitoring of private communications by both third-party service providers and the government. Does the bill do anything to encourage that vulnerabilities are reported to vendors and patched as quickly as possible? No, in fact the nature of the bill is such that these kinds of things will go unreported so that 'they' won't know that the government knows that they exist. Which seems great for the government and their industry partners (but is actually just going to shoot them in the foot in the long run) and at the user level will actually make individuals less safe.

The bill doesn't preserve the state of order at the federal level. It creates an illusion of order at the federal level that will be disastrous for individual users and will ultimately leave the federal level more vulnerable longer term. That's without even getting into the major issue that broad immunity from liability presents in any bill.

Re: Re:

Oh, and since when does fucking 911 have a single solitary thing to do with cybersecurity? Were the planes hacked and remote piloted into the towers or something? Why is an actual, ultimate of low-tech, physical attack indicative at all that a cyber threat is 'no longer theoretical?'

Re: Broke needs fixed.

Re: Re:

This personal threat aside, how can anyone argue point blank that preserving the state of order at the federal level is not in the best interests of individual Internet users? Do people really think the Internet will keep humming along without fights and blackouts if the federal government takes a brutal hit?

What's wrong with writing a narrowly defined bill that can be used for real threats, not used for anything under the sun and which has real penalties for its abuse?

Is a denial of service attack on a web site really a serious enough threat that we need a new law and extra harsh new punishments to deal with it? Especially considering that it's the online equivalent of the Occupy Wall Street movement. And should private companies really have blanket immunity for sharing customers' private data regardless of whether there was a valid reason to do so or not?

If this bill was written so that it only applied to cyber threats that actually endangered lives or threatened the stability of the net, and which included penalties for the abuse of said law, nobody would have a problem with it.